Cisco Secure Unique Device Identifier (SUDI) certificates on certain Cisco products will expire either on [Date of Manufacture + 10 Years] or on May 14th, 2029 (2029-05-14), whichever is earlier.
If a Cisco product may be adversely impacted by an expired SUDI, a Field Notice (FN) with all relevant details will be published to address the issue. Please see the reference links at the bottom of this article for a list of already published field notices. This article provides additional information about SUDI certificates and this issue.
Question 1: What is SUDI?
Answer: The Secure Unique Device Identifier, or SUDI, is an IEEE 802.1AR-compliant secure device identity in an X.509v3 certificate which maintains the product identifier and serial number. The identity is implemented at manufacturing and is chained to a publicly identifiable root certificate authority. The SUDI can be used as an unchangeable device identity for configuration, security, auditing, and management. The SUDI certificate, the associated key pair, and its entire certificate chain are stored in the tamper-resistant Trust Anchor module (TAm) chip. Furthermore, the key pair is cryptographically bound to a specific Trust Anchor chip and the private key is never exported. This feature makes cloning or spoofing the identity information virtually impossible.
The SUDI key pair can be used for asymmetric key operations such as encryption, decryption, signing, and verification, so data can be passed to the device to be operated upon. This capability makes remote authentication of a device possible. It enables accurate, consistent, and electronic identification of Cisco products for asset management, provisioning, version visibility, service entitlement, quality feedback, and inventory management.
Question 2: What is the issue with the original SUDI certificate?
Answer: Since introduction, SUDI certificates were issued with an expiration date of 10 years from the date of manufacture, or May 14, 2029 (whichever came first). Therefore, without intervention, a device manufactured prior to May 2019 will have its device certificate expire when it reaches the 10-year mark. A device manufactured after May 14th, 2019 will have a SUDI certificate lifetime of fewer than 10 years, and that certificate will expire on May 14, 2029. Although devices with expired SUDI certificates will continue to operate (i.e. they will boot up and run without errors), certain features such as HTTPS/TLS, PKI/RA, SSH, and PnP, which rely on SUDI-based network authentication, may not function after the certificate expires.
Question 3: What is Cisco doing to address the SUDI expiry issue?
Answer: New Cisco Certificate Authorities are issuing SUDI certificates called SUDI-2099 certificates that are valid until the end of the century (December 2099).
Question 4: How do I know if my product is potentially impacted by an expired SUDI?
Answer: For route/switch processors, standalone Cisco routers and switches, optical products, IP phones, wireless access points/controllers, IoT devices and data center server products, the following features may be impacted when the device’s SUDI certificate expires, if the device uses its SUDI certificate to authenticate over the network for them:
Zero Touch Provisioning (ZTP) using a non-Cisco ZTP server
Question 5: Are there cases where impacted products will still function with an expired SUDI?
Answer: There are use cases in which a SUDI certificate with a 2029 or earlier expiration date will not impact your device’s functionality upon expiry, and therefore no action is required on the customer side. These use cases include:
Cisco IOS-XR based products are not impacted.
Cisco Zero-Touch Provisioning (ZTP) solutions (i.e. Cisco device Plug-and-Play (PnP) Connect feature) with Cisco DNA-C have been updated to ignore the expired SUDI.
Cisco SD-WAN (Viptela) solution will be updated with a fix. This update will be completed before existing SUDIs first expire in 2024.
Cisco Meraki dashboard will be updated with a fix. This update will be completed before existing SUDIs first expire in 2026.
Cisco Multiplatform Phones (MPP) fielded units will be updated with a fix. This update will be completed before existing SUDIs first expire in 2023.
Cisco NCS2K Optical will be updated with a fix. This update will be completed before existing SUDIs first expire in 2023.
Cisco Expressway will be updated with a fix. This update will be completed before existing SUDIs first expire in 2026.
Cisco ACI-Nexus 9000 will be updated with a fix. This update will be completed before existing SUDIs first expire in 2024.
Question 6: How do I check my impacted product’s SUDI certificate expiration date?
Answer: If your product uses SUDI for network authentication, you can use the following commands to show your SUDI certificate expiration date:
For impacted IOS/IOS-XE based products:
# show crypto pki certificate
Look for the Validity Date ‘end date:’ of the CISCO_IDEVID_SUDI trustpoint in the command output. Example:
start date: 00:03:04 UTC Nov 24 2015
end date: 00:03:04 UTC Nov 24 2025
Associated Trustpoints: CISCO_IDEVID_SUDI
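As an added example (not from the article or from Cisco), the following Python script parses output in the layout of the show crypto pki certificate excerpt above, keeps only the certificate whose trustpoint is CISCO_IDEVID_SUDI, and classifies its end date against a chosen date; it also computes the expiry the original rule (manufacture date + 10 years, capped at 2029-05-14) predicts. The sample output, the trustpoint name EXAMPLE_OTHER_TP and the assumption that dates are always printed in UTC are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (not captured from a real device) in the layout of the article's excerpt.
SAMPLE_OUTPUT = """\
  Validity Date:
    start date: 00:03:04 UTC Nov 24 2015
    end   date: 00:03:04 UTC Nov 24 2025
  Associated Trustpoints: CISCO_IDEVID_SUDI

  Validity Date:
    start date: 12:00:00 UTC Jan 10 2021
    end   date: 12:00:00 UTC Jan 10 2031
  Associated Trustpoints: EXAMPLE_OTHER_TP
"""

SUDI_FINAL_EXPIRY = datetime(2029, 5, 14, tzinfo=timezone.utc)  # hard cap stated in the article
IOS_DATE_FORMAT = "%H:%M:%S UTC %b %d %Y"  # e.g. "00:03:04 UTC Nov 24 2015"

def parse_ios_date(text):
    return datetime.strptime(text.strip(), IOS_DATE_FORMAT).replace(tzinfo=timezone.utc)

def parse_sudi_certificates(show_output):
    """Return (start, end) for each certificate block whose trustpoints include CISCO_IDEVID_SUDI."""
    found = []
    for block in re.split(r"\n\s*\n", show_output):  # one certificate per blank-line-separated block
        trustpoints = re.search(r"Associated Trustpoints:\s*(.+)", block)
        start = re.search(r"start\s+date:\s*(.+)", block)
        end = re.search(r"end\s+date:\s*(.+)", block)
        if trustpoints and start and end and "CISCO_IDEVID_SUDI" in trustpoints.group(1).split():
            found.append((parse_ios_date(start.group(1)), parse_ios_date(end.group(1))))
    return found

def expected_expiry(manufacture_iso):
    """Original SUDI rule: manufacture date + 10 years or 2029-05-14, whichever is earlier."""
    made = datetime.fromisoformat(manufacture_iso).replace(tzinfo=timezone.utc)
    day = 28 if (made.month, made.day) == (2, 29) else made.day  # 29 Feb has no match ten years on
    return min(made.replace(year=made.year + 10, day=day), SUDI_FINAL_EXPIRY).date().isoformat()

def sudi_status(show_output, now_iso):
    """Classify each SUDI end date as 'expired', 'expiring' (under a year left) or 'ok' as of now_iso."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    results = []
    for _start, end in parse_sudi_certificates(show_output):
        state = "expired" if end <= now else "expiring" if end - now < timedelta(days=365) else "ok"
        results.append((end.date().isoformat(), state))
    return results
```

Paste the real command output into SAMPLE_OUTPUT or pass it to sudi_status() directly; a result of "expiring" or "expired" is the signal to check the field notices referenced in this article.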
For impacted NX-OS based products:
Use the following OpenSSL command on each of the SUDI certificate files.
Customers can post their questions to email@example.com. If customers have a technical issue or need technical support on SUDI certificates, please open a TAC case with Cisco Technical Support.